How should I host the id of the user on the session? Just insert the id? I mean (for example):
$_SESSION['id'] = 1;
There isn’t a way for the user himself to change it (as with a cookie)? Because if so, he can change it to any id.
One more question about it – how can I check if a user is logged in (with sessions)? I created a session:
$_SESSION['is_logged_in'] = true;
Again, can’t the user just create a session whose name is ‘is_logged_in’ and whose value is true? Or does just the server have control over the value of the server?
All session variables in PHP are stored server side.
The client stores a cookie that references which session should be used, and then the server looks up the values for the session.
It is safe to store is_logged_in in your session as well as the user id.
What you should be aware of is if another user gets a hold of another user’s session cookie, they will be able to imitate that user until the session times out. One simple solution is to link sessions to IPs.
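The approach described in the answer above, as an added example that is not part of the original post: the user id and login flag live only in the server-side session, and the session is bound to the client IP at login. The function names `login_user` and `current_user_id` are hypothetical, and the `secure` cookie flag assumes the site is served over HTTPS.

```php
<?php
// Added example; login_user() and current_user_id() are hypothetical names.

// Only the session ID travels in the cookie; keep it away from scripts and plain HTTP.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // assumption: the site is served over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// Call this only after the password check has succeeded.
function login_user(int $userId): void
{
    // Issue a fresh session ID so an ID known before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['id']           = $userId;
    $_SESSION['is_logged_in'] = true;
    // Bind the session to the client address, as suggested in the answer.
    $_SESSION['ip']           = $_SERVER['REMOTE_ADDR'] ?? '';
}

// Returns the logged-in user's id, or null if the session is not valid.
function current_user_id(): ?int
{
    if (empty($_SESSION['is_logged_in'])) {
        return null;
    }
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!hash_equals($_SESSION['ip'] ?? '', $ip)) {
        // Session cookie presented from a different address: drop the session.
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return (int) $_SESSION['id'];
}
```

Binding to the IP logs out legitimate users whose address changes mid-session (mobile networks, for example), and it does not separate clients that share one address behind the same NAT.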